I just got up and running with IPv6 on my Comcast internet connection. However I'm only able to grab a single /64 prefix currently. I've heard that you can grab as many /64s "as you can eat" from Comcast, and that it is just a matter of configuring my client correctly. Currently I'm using OpenBSD 5.2 as my Internet Router, with the interfaces being:

Code:

em0: outside
em1: inside
em2: dmz

I currently have a /128 assigned via DHCPv6 on the outside interface, and a /64 assigned via DHCPv6 on the inside interface (2601:1:8480:x::/64). I would ideally like to assign another /64 to my DMZ, but haven't figured out quite how to do this yet. Here is my current config:

If anyone knows how to modify the blocks to grab another prefix for em2, that's what I'm trying to do. I tried various permutations of adding prefixes, but it always seems to want to assign an address from the same /64 to em2 as is already assigned to em1. I know this is an edge case, but hopefully someone in the hive can pull through!

Why? In normal business cases where dynamic routing is involved, this would make sense...but for home use? Just slice up that /64 (unless you're doing some other odd stuff)

I'm using radvd on my inside interface which (I don't believe) will announce anything smaller than a /64. I also believe there was an RFC back in the day that said "Thou shalt not announce anything smaller than a /64" - but I could either be mistaken or that has changed.

Quote:

"Thou shalt not announce anything smaller than a /64" - but I could either be mistaken or that has changed.

No, you're not mistaken. Other than new acceptance of /128s, it's the norm...and considered to be the smallest subnet...but this really means "it's the smallest subnet most dynamic routing protocols will advertise"

You should, however, be able to get away with RADVD on *one* of your subnets, and manually manage your DMZ. Are you actually using SLAAC on your "non-DMZ" subnet?

Quote:

You should, however, be able to get away with RADVD on *one* of your subnets, and manually manage your DMZ. Are you actually using SLAAC on your "non-DMZ" subnet?

I'm manually managing my DMZ interface, but I need to have another subnet routed to me for me to be able to assign addresses to that DMZ, since RADVD is advertising the /64 on my inside interface. I'm running RADVD with an essentially empty config file, just advertising whatever /64 is assigned to the inside interface via DHCPv6 - since this subnet may change at some point.

DHCPv6 pulls a /128 from Comcast which acts as a transit network. DHCPv6 also pulls a /64 from Comcast and assigns it to interface X, in this case em1 which is my inside interface. Since it is pulled via DHCP(v6), I'm assuming this can change just like Comcast will sometimes change its v4 address assigned to me.

So my inside interface gets automatically assigned a /64 - I don't think I can split that up manually. RADVD runs on the inside interface and announces the /64 to my inside network. The only way I could think of getting what I want is if I were to request a second prefix for my DMZ interface via DHCPv6.

....ooookay...I've never seen this before, but if you say so. (I haven't worked with Comcast's IPv6 deployment yet). Are you *sure* this would change to any meaningful degree? I kind of doubt it...since you'll likely be in the same /56 across your neighborhood area, and there is very little reason for this to change.

However, are you SURE this is how it's working? (not saying it isn't, I'm just making sure we're working from the same set of assumptions)

Quote:

RADVD runs on the inside interface and announces the /64 to my inside network

Okay. So let's think about it.

The RADVD router will advertise a prefix, MTU, and router address (periodically shouting it out via multicast, and also respond to requests).

However, that doesn't mean clients have to listen (or ask). A manually configured client (aka DMZ host) could be configured with, say, a /68...and it will simply ignore those RADVD multicast announcements. Assuming you use a proper longer prefix that would fall within the larger /64, the DMZ hosts should be able to communicate with the router just fine, and vice versa. The DMZ hosts may or may not (I believe the latter to be accurate) be able to communicate with the non-DMZ clients, but I'd imagine the clients could initiate communication with them just fine (not tested, I'm just thinking this through...I'd think NDP would work just fine here).

You know, just thinking out loud here, have you called Comcast about this? They may just be able to supernet you into a /62 or /60, and call it a day (because then you could carve up to smaller /64's without worrying about it).

Quote:

You know, just thinking out loud here, have you called Comcast about this? They may just be able to supernet you into a /62 or /60, and call it a day (because then you could carve up to smaller /64's without worrying about it).

I am under the impression that nobody at Comcast residential help knows what IPv6 is, unless I could track down Jason Livingood or someone from the IPv6 team.

I should be able to grab a larger subnet with DHCPv6, up to a /60 according to Comcast, but it appears that they have turned this feature off for now, because when I try to request a larger subnet, it barks at me.

Also, if I get assigned a /60 on my internal subnet, how do I split that up and decide what prefix goes on what interface? I'm not sure that I am able to manually assign prefixes to whatever interface I want. My theory is that it has to be assigned by DHCPv6, and if I don't have that interface-binding in my dhcp6c.conf, Comcast will not route that prefix to me.

Quote:

Also, if I get assigned a /60 on my internal subnet, how do I split that up and decide what prefix goes on what interface? I'm not sure that I am able to manually assign prefixes to whatever interface I want. My theory is that it has to be assigned by DHCPv6, and if I don't have that interface-binding in my dhcp6c.conf, Comcast will not route that prefix to me.

Quote:

Since it is pulled via DHCP(v6), I'm assuming this can change just like Comcast will sometimes change its v4 address assigned to me.

I moved my OpenBSD VM and while my external IPv4 didn't change, my v6 prefix did.

I wonder if they have some kind of a timeout setting similar to a DHCP lease.

That sucks if that's what's going on. The main thing I'm looking for in IPv6 is a static IP. Although, thinking about it, it's sort of weird too. I mean, I thought that Comcast would essentially give you a block of addresses and then you'd assign them either statically or through your own DHCPv6 server. This goes to show that there's a lot of stuff I'm missing with regard to IPv6.

If your DMZ is connected through a second IPv6 router, set up the first one as a DHCPv6 relay. If both routers ask for a prefix using separate DUIDs there's a chance they both get one. If it's one router, see if you can run a second instance of the DHCPv6 client with a second DUID.
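The question raised earlier in the thread, how a delegated /60 is divided among interfaces and why a lone /64 lands on both em1 and em2, comes down to prefix arithmetic. The following is an added example, not part of any post above: it assumes the sla-id/sla-len scheme used by the WIDE dhcp6c client's prefix-interface statement, and uses constructed 2001:db8:: documentation prefixes and hypothetical helpers `carve` and `overlapping`.

```python
import ipaddress
from itertools import combinations

def carve(delegated, sla_len, sla_ids):
    """Return {interface: subnet}, where each subnet is the delegated prefix
    extended by sla_len bits holding that interface's sla-id.
    Assumption: this mirrors dhcp6c's sla-id / sla-len semantics."""
    net = ipaddress.IPv6Network(delegated)
    new_len = net.prefixlen + sla_len
    if new_len > 64:
        raise ValueError("interface prefix would be longer than /64")
    result = {}
    for ifname, sla_id in sla_ids.items():
        if not 0 <= sla_id < (1 << sla_len):
            raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
        # Place the sla-id in the bits directly after the delegated prefix.
        base = int(net.network_address) | (sla_id << (128 - new_len))
        result[ifname] = ipaddress.IPv6Network((base, new_len))
    return result

def overlapping(assignments):
    """List interface pairs whose assigned subnets overlap."""
    names = sorted(assignments)
    return [(a, b) for a, b in combinations(names, 2)
            if assignments[a].overlaps(assignments[b])]

if __name__ == "__main__":
    # Constructed sample: a /60 delegation leaves 4 bits, so 16 distinct /64s.
    wide = carve("2001:db8:8480:10::/60", 4, {"em1": 0, "em2": 1})
    print(wide, overlapping(wide))

    # Constructed sample: a /64 delegation leaves 0 bits, so the only valid
    # sla-id is 0 and every interface receives the same /64.
    narrow = carve("2001:db8:8480:10::/64", 0, {"em1": 0, "em2": 0})
    print(narrow, overlapping(narrow))
```

With only a /64 delegated there are no spare bits to tell em1 and em2 apart, so a separate /64 for the DMZ needs either a shorter delegation or a second delegation.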